Hi Peter,
I tested out the latest nightly build and everything worked fine except for one small hiccup. The fix for creating the IPSec root/host certificate set still gave the same error when first attempted but then created it if the attempt was directly made again.
Turns out the addition of unique_subject = yes to /var/ipfire/certs/index.txt.attr is only done in the vpnmain.cgi after the root/host creation was attempted the first time.
The patch below ensures that the index.txt.attr file has the unique_subject = yes entry the first time the root/host certificate set creation is attempted.
Apart from the above, all the other things I was able to test in IPSec and OpenVPN worked with that latest nightly.
Regards,
Adolf.
On 06/06/2023 12:40, Adolf Belka wrote:
- The fix applied in vpnmain.cgi only adds the unique_subject = yes to the index.txt.attr file after the first time that the root/host certificates are attempted to be created.
- Without this line in update.sh, the first attempt to create the root/host certificate set will still have the original error code. If the creation is attempted again then it will work because the unique_subject = yes will have then been added into the file.
- This patch ensures that the first attempt to create a root/host certificate set in CU175 will work.
- Confirmed on vm testbed with freshly updated CU175.
Fixes: Bug#13138 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
config/rootfiles/core/175/update.sh | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/rootfiles/core/175/update.sh b/config/rootfiles/core/175/update.sh index 82676bc72..f1c6873c1 100644 --- a/config/rootfiles/core/175/update.sh +++ b/config/rootfiles/core/175/update.sh @@ -191,6 +191,9 @@ if [ -s /var/ipfire/ovpn/ovpnconfig ]; then done fi
+## Add unique_subject = yes to vpn index.txt.attr file +echo "unique_subject = yes" > /var/ipfire/certs/index.txt.attr
- # This update needs a reboot... touch /var/run/need_reboot